Measures reported by AzrADGroupTest
Microsoft Azure AD Groups are collections of users and other principals who share access to resources in Microsoft services or in your app. Azure Active Directory (Azure AD) lets you use groups to manage access to your cloud-based apps, on-premises apps, and your resources.
Azure AD helps you give access to your organization's resources by providing access rights to a single user or to an entire Azure AD group. Using groups lets the resource owner (or Azure AD directory owner), assign a set of access permissions to all the members of the group, instead of having to provide the rights one-by-one.
To ease management, administrators must regularly 'declutter' their AD organization, i.e., identify and remove inactive/unwanted groups, empty groups, duplicate groups, or incorrectly configured groups. For 'active' groups too, administrators should know who the members of those groups are, because if group members are carelessly chosen, malicious users may gain access to critical apps/resources and wreak havoc. Administrators should therefore periodically review group membership and make changes if required.
Besides group members, administrators should also pay attention to group owners. It is recommended that a group has at least one owner. Sometimes, however, when users are deleted directly from Azure Active Directory, you may suddenly find a few groups 'orphaned', i.e., without any owners. It is good administrative practice to identify such groups quickly and assign an owner to them. Using the AzrADGroupTest, administrators can achieve all of the above!
This test periodically audits AD groups and:
- Promptly pinpoints inactive groups;
- Reports the count and names of users in each group, thereby leading administrators to empty groups or groups configured with wrong members;
- Reveals the number and names of owners per group, so that orphaned groups can be rapidly identified.
Outputs of the test: One set of results for each Azure Active Directory group
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
| --- | --- | --- | --- |
| Group_status | Indicates the current status of this AD group. | | The values reported by this measure and their numeric equivalents are: Inactive = 0, Active = 1.<br>Note: By default, this measure reports the Measure Values listed above to indicate the current status of an Azure AD group. The graph of this measure, however, represents the same using the numeric equivalents only.<br>The detailed diagnosis of this measure, if enabled, reveals the complete group configuration, including group type, its creation date, the group mail ID, the options enabled for the group, and more. |
| Group_type | Indicates the type of this AD group. | | The values reported by this measure and their numeric equivalents are: Office 365 group = 1, Mail enabled security = 2, Security enabled = 3, Distribution group = 4.<br>Note: By default, this measure reports the Measure Values listed above to indicate the group type. The graph of this measure, however, represents the same using the numeric equivalents only. |
| Is_dynamic_enabled | Indicates whether dynamic membership is enabled for this group. | | In Azure Active Directory (Azure AD), you can create complex attribute-based rules to enable dynamic membership for groups. Dynamic group membership reduces the administrative overhead of adding and removing users. When any attribute of a user or device changes, the system evaluates all dynamic group rules in a directory to see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they are added as a member of that group. If they no longer satisfy the rule, they are removed. You cannot manually add or remove a member of a dynamic group.<br>The values reported by this measure and their numeric equivalents are: False = 0, True = 1.<br>Note: By default, this measure reports the Measure Values listed above to indicate whether dynamic membership is enabled for a group. The graph of this measure, however, represents the same using the numeric equivalents only. |
| Group_size | Indicates the number of members assigned to this group. | Number | If this measure reports the value 0, it means that the group is empty. Empty groups are good candidates for deletion.<br>For non-empty groups, use the detailed diagnosis of this measure, if enabled, to know the name, ID, and type of each member of the group. |
| Group_member_of | Indicates the number of groups and administrative units of which this group is a direct member. | Number | Use the detailed diagnosis of this measure to know which groups/administrative units include this group as a direct member. |
| Is_owner_assigned | Indicates the number of owners assigned to this group. | Number | If this measure reports the value 0 for any group, it means that the group is an orphaned group.<br>A non-zero value for this measure, on the other hand, implies that one or more owners exist for that group. In this case, you can use the detailed diagnosis of this measure to know who the owners are. The name, ID, and title of each owner are reported as part of the detailed diagnostics. |
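The following script shows how the per-group measures in the table above can be derived from group records and how empty and orphaned groups are flagged. It is an added example written for this page, not eG Innovations' implementation of AzrADGroupTest. The input records are constructed to resemble the Microsoft Graph `group` resource (`displayName`, `groupTypes`, `mailEnabled`, `securityEnabled`, `members`, `owners`, `memberOf`); the mapping from those attributes to the test's Group_type labels is an assumption, and Group_status is not computed because the page does not define the inactivity criterion.

```python
"""Compute AzrADGroupTest-style measures for Azure AD groups.

Example code added to this page; it is not eG Innovations' implementation.
Input records mimic the Microsoft Graph `group` resource. The attribute-to-
Group_type mapping below is an assumption, not something the page states.
"""
from typing import Any

# Numeric equivalents exactly as listed in the Group_type measure on this page.
GROUP_TYPE_CODES = {
    "Office 365 group": 1,
    "Mail enabled security": 2,
    "Security enabled": 3,
    "Distribution group": 4,
}


def classify_group_type(group: dict[str, Any]) -> str:
    """Map Graph attributes to the test's Group_type labels (assumed mapping)."""
    group_types = group.get("groupTypes", [])
    mail = bool(group.get("mailEnabled"))
    security = bool(group.get("securityEnabled"))
    if "Unified" in group_types:          # Microsoft 365 / Office 365 group
        return "Office 365 group"
    if mail and security:
        return "Mail enabled security"
    if security:
        return "Security enabled"
    return "Distribution group"           # mail-enabled, not security-enabled


def is_dynamic_enabled(group: dict[str, Any]) -> bool:
    """Graph expresses dynamic membership via the 'DynamicMembership' groupType."""
    return "DynamicMembership" in group.get("groupTypes", [])


def measure_group(group: dict[str, Any]) -> dict[str, Any]:
    """One set of results per group, using the measure names from this page."""
    members = group.get("members", [])
    owners = group.get("owners", [])
    member_of = group.get("memberOf", [])
    gtype = classify_group_type(group)
    return {
        "group": group["displayName"],
        "Group_type": gtype,
        "Group_type_code": GROUP_TYPE_CODES[gtype],
        "Is_dynamic_enabled": int(is_dynamic_enabled(group)),   # False = 0, True = 1
        "Group_size": len(members),
        "Group_member_of": len(member_of),
        "Is_owner_assigned": len(owners),
        # Detailed-diagnosis style detail: name, ID and type of each member; name and ID of each owner.
        "members": [(m["displayName"], m["id"], m.get("@odata.type", "")) for m in members],
        "owners": [(o["displayName"], o["id"]) for o in owners],
    }


def audit_groups(groups: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Measure every group and flag the two conditions the page calls out."""
    results = []
    for g in groups:
        r = measure_group(g)
        r["flags"] = []
        if r["Group_size"] == 0:
            r["flags"].append("empty")       # candidate for deletion
        if r["Is_owner_assigned"] == 0:
            r["flags"].append("orphaned")    # assign an owner
        results.append(r)
    return results


# Constructed sample directory (not real tenant data).
SAMPLE_GROUPS = [
    {
        "displayName": "Finance Apps", "groupTypes": [],
        "mailEnabled": False, "securityEnabled": True,
        "members": [
            {"displayName": "Alice", "id": "u-001", "@odata.type": "#microsoft.graph.user"},
            {"displayName": "Bob", "id": "u-002", "@odata.type": "#microsoft.graph.user"},
        ],
        "owners": [{"displayName": "Carol", "id": "u-003"}],
        "memberOf": [{"displayName": "All Staff", "id": "g-100"}],
    },
    {
        "displayName": "Legacy Project", "groupTypes": ["Unified"],
        "mailEnabled": True, "securityEnabled": False,
        "members": [], "owners": [], "memberOf": [],
    },
    {
        "displayName": "All Engineers", "groupTypes": ["DynamicMembership"],
        "mailEnabled": True, "securityEnabled": True,
        "members": [{"displayName": "Dave", "id": "u-004", "@odata.type": "#microsoft.graph.user"}],
        "owners": [], "memberOf": [],
    },
]

if __name__ == "__main__":
    for r in audit_groups(SAMPLE_GROUPS):
        print(r["group"], r["Group_type_code"], r["Group_size"], r["Is_owner_assigned"], r["flags"])
```

In a real deployment the `SAMPLE_GROUPS` list would be replaced by the groups, members, owners and memberOf relationships read from the directory; the measurement logic itself does not change, and the `flags` list is what an administrator would act on first (delete or repurpose empty groups, assign owners to orphaned ones).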